On Wednesday 21 February 2024 at 10:31 +0100, libor.peltan via knot-dns-users wrote:
  Hi Bastien and Wes,
 one of the points to understand the issue is this log message
  janv. 26 22:50:27 arrakeen knotd[3061]: notice: [geekwu.org.] DNSSEC, cleared future timers of auto-managed key 20414
 In recent versions, we added a feature to Knot, that when Automatic key
 management is enabled, any key timers that are scheduled in the future
 are cleared. The reason was that auto-managed keys imported from Bind9
 often had those and it led to a mess in Knot's automatic key management.
 It is hard to imagine for me how it could happen that this code cleared
 your keys' "normal" timers that ought not be in the future. Is the issue
 somehow reproducible for you so that we could be able to see the keys'
 states just before this appears? Could you at least dig a bit deeper
 down the logs to see some more history before this?
 Could you explain if you routinely or occasionally do some manual
 adjustments of the keys with keymgr?
 Thank you!
 Libor 
Hello,
I don't usually use keymgr, only when I'm fixing things, or if I want
to make a KSK or alg. rollover. (according to git logs, the last
knot.conf modification related to dnssec was on June 22 2023)
I found this message only once in logs since August:
# grep 'cleared future timers of auto-managed' knotd.log
Jan 26 22:50:26 arrakeen knotd[3061]: notice: [durel.eu.] DNSSEC, cleared future timers of auto-managed key 7402
Jan 26 22:50:26 arrakeen knotd[3061]: notice: [merlusina.eu.] DNSSEC, cleared future timers of auto-managed key 46783
Jan 26 22:50:27 arrakeen knotd[3061]: notice: [geekwu.org.] DNSSEC, cleared future timers of auto-managed key 20414
Jan 26 22:50:43 arrakeen knotd[6154]: notice: [durel.eu.] DNSSEC, cleared future timers of auto-managed key 64035
Jan 26 22:50:43 arrakeen knotd[6154]: notice: [geekwu.org.] DNSSEC, cleared future timers of auto-managed key 20799
knotd[6154] is my internal-view instance, while knotd[3061] is the
public one
only merlusina.eu. & geekwu.org. were broken, durel.eu. was not.
at 22:50 on Jan 26 I was probably playing board games in my local games
association
But actually, my logs are very strange: they jump from Feb 12 13:01 to
Jan 26 22:50
Feb 12 13:01:37 arrakeen freshclam[2243]: Mon Feb 12 13:01:37 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Feb 12 13:01:37 arrakeen freshclam[2243]: Mon Feb 12 13:01:37 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Feb 12 13:01:37 arrakeen freshclam[2243]: Mon Feb 12 13:01:37 2024 -> bytecode.cld database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jan 26 22:50:00 arrakeen systemd-modules-load[580]: Inserted module 'firewire_sbp2'
Jan 26 22:50:00 arrakeen systemd-modules-load[580]: Inserted module 'dummy'
Jan 26 22:50:00 arrakeen systemd-modules-load[580]: Inserted module 'coretemp'
Jan 26 22:50:00 arrakeen systemd-sysctl[598]: Couldn't write '1' to 'net/netfilter/nf_conntrack_acct', ignoring: No such file or directory
Jan 26 22:50:00 arrakeen kernel: [    0.000000] microcode: microcode updated early to revision 0x1d, date = 2018-05-11
Jan 26 22:50:00 arrakeen systemd-sysctl[598]: Couldn't write '1' to 'net/ipv4/conf/pacserve/mc_forwarding', ignoring: No such file or directory
Jan 26 22:50:00 arrakeen kernel: [    0.000000] Linux version 6.1.0-18-amd64 (debian-kernel(a)lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)
Jan 26 22:50:00 arrakeen kernel: [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.1.0-18-amd64 root=LABEL=SSDROOT ro intremap=off reboot=cold raid=noautodetect quiet
[...]
Jan 26 22:50:11 arrakeen Tor[3150]: Received local state file with skewed time (/var/lib/tor/state): It seems that our clock is behind by 15 days, 23 hours, 23 minutes, or that theirs is ahead. Tor requires an accurate clock to work: please check your time, timezone, and date settings.
[...]
Jan 26 22:50:12 arrakeen vnstatd[2450]: Info: Latest database update is in the future (db: 2024-02-12 13:00:00 > now: 2024-01-26 22:50:12). Giving the system clock up to 5 minutes to sync before continuing.
[...]
Jan 26 22:59:48 arrakeen ntpd[3104]: IO: new interface(s) found: waking up resolver
Feb 12 21:38:02 arrakeen ntpd[3104]: CLOCK: time stepped by 1463893.399700
Feb 12 21:38:02 arrakeen ntpd[3104]: CLOCK: time changed from 2024-01-26 to 2024-02-12
So I guess the power cut messed with the computer date in a way or
another, and this is probably the thing that got timer to be purged.
Maybe I should make sure knotd starts after ntpd ^^
Regards,
--
Bastien
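
Added example (not part of the original messages and not Knot DNS code): a small syslog check for the pattern diagnosed above, where timestamps jump backwards after a boot with a wrong clock and knotd clears key timers before ntpd steps the time. The function name, the thresholds and the sample lines are assumptions; the sample is constructed, modeled on the excerpts quoted in the message, and the `example.test.` line is invented to show an event outside the skewed window.

```python
import re
from datetime import datetime

# Constructed sample, modeled on the excerpts quoted in the message above.
SAMPLE_LOG = """\
Feb 12 13:01:37 arrakeen freshclam[2243]: main.cvd database is up-to-date
Jan 26 22:50:00 arrakeen kernel: [    0.000000] Linux version 6.1.0-18-amd64
Jan 26 22:50:26 arrakeen knotd[3061]: notice: [durel.eu.] DNSSEC, cleared future timers of auto-managed key 7402
Jan 26 22:50:27 arrakeen knotd[3061]: notice: [geekwu.org.] DNSSEC, cleared future timers of auto-managed key 20414
Jan 26 22:59:48 arrakeen ntpd[3104]: IO: new interface(s) found: waking up resolver
Feb 12 21:38:02 arrakeen ntpd[3104]: CLOCK: time stepped by 1463893.399700
Feb 12 21:40:00 arrakeen knotd[3061]: notice: [example.test.] DNSSEC, cleared future timers of auto-managed key 1
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ ([^:\[ ]+)(?:\[\d+\])?: (.*)$")
CLEARED_RE = re.compile(r"\[(\S+)\] DNSSEC, cleared future timers of auto-managed key (\d+)")
STEP_RE = re.compile(r"CLOCK: time stepped by (-?\d+(?:\.\d+)?)")

def find_skewed_key_events(log_text, year=2024, min_jump=3600):
    """Return (suspects, steps): (zone, key tag) pairs whose timers were cleared
    while syslog timestamps ran behind earlier entries, and ntpd step sizes."""
    suspects, steps = [], []
    prev, skewed = None, False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) not in MONTHS:
            continue
        mon, day, hh, mm, ss = MONTHS[m.group(1)], *map(int, m.group(2, 3, 4, 5))
        ts = datetime(year, mon, day, hh, mm, ss)
        if prev and (prev - ts).days > 300:      # assumed Dec -> Jan rollover, not skew
            year += 1
            ts = ts.replace(year=year)
        elif prev and (prev - ts).total_seconds() > min_jump:
            skewed = True                        # timestamps went backwards: clock lost
        prev = ts
        prog, msg = m.group(6), m.group(7)
        step = STEP_RE.search(msg) if prog == "ntpd" else None
        if step:
            steps.append(float(step.group(1)))
            skewed = False                       # ntpd corrected the clock
        cleared = CLEARED_RE.search(msg) if prog == "knotd" else None
        if cleared and skewed:
            suspects.append((cleared.group(1), int(cleared.group(2))))
    return suspects, steps

if __name__ == "__main__":
    print(find_skewed_key_events(SAMPLE_LOG))
```

Classic syslog timestamps carry no year, so a clock that falls back by more than about 300 days is indistinguishable from a year rollover here; the `year` argument must match the first line of the file.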